diff --git a/server/mdm/apple/cert.go b/server/mdm/apple/cert.go
index 33eaee8bbb..5edfa5bb6d 100644
--- a/server/mdm/apple/cert.go
+++ b/server/mdm/apple/cert.go
@@ -173,12 +173,12 @@ func GetSignedAPNSCSRNoEmail(client *http.Client, csr *x509.CertificateRequest)
 	req, err := http.NewRequest(http.MethodPost, u, bytes.NewReader(b))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("creating csr signing request for fleetdm api: %w", err)
 	}
 	resp, err := client.Do(req)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("sending csr signing request to fleetdm api: %w", err)
 	}
 	defer resp.Body.Close()
@@ -189,7 +189,7 @@ func GetSignedAPNSCSRNoEmail(client *http.Client, csr *x509.CertificateRequest)
 	var csrResp WebsiteResponse
 	if err := json.Unmarshal(respBytes, &csrResp); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("unmarshalling signed csr response from fleetdm api: %w", err)
 	}
 	return csrResp.CSR, nil
diff --git a/server/service/mdm.go b/server/service/mdm.go
index ebdb0e7696..6232b36968 100644
--- a/server/service/mdm.go
+++ b/server/service/mdm.go
@@ -2137,7 +2137,7 @@ func getMDMAppleCSREndpoint(ctx context.Context, request interface{}, svc fleet.
 func (svc *Service) GetMDMAppleCSR(ctx context.Context) ([]byte, error) {
 	if err := svc.authz.Authorize(ctx, &fleet.AppleCSR{}, fleet.ActionWrite); err != nil {
-		return nil, ctxerr.Wrap(ctx, err)
+		return nil, err
 	}
 	vc, ok := viewer.FromContext(ctx)
diff --git a/server/service/mdm_test.go b/server/service/mdm_test.go
index a5c9635b18..7838259121 100644
--- a/server/service/mdm_test.go
+++ b/server/service/mdm_test.go
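Review bot: The three new `fmt.Errorf(...)` returns in GetSignedAPNSCSRNoEmail assume `fmt` is already imported in cert.go; the import block is outside this hunk, so confirm it is present or the file will not compile. Using `%w` keeps the underlying error (a `*url.Error` from `client.Do`) reachable through `errors.Is`/`errors.As`, which is the right choice here. The enclosing function begins before this hunk and continues past it.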
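Review bot: The new `unmarshalling signed csr response from fleetdm api` message is what a caller will see whenever the body is not the expected JSON, including a non-2xx reply carrying an HTML or plain-text body; lines 185–188, where a status check would sit, are outside the hunk, so confirm `resp.StatusCode` is checked before `respBytes` is read. If it is not, a check before the unmarshal that returns an error naming the status would make that failure mode clear instead of reporting it as a parse error. GetSignedAPNSCSRNoEmail starts before this hunk.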
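Review bot: Dropping `ctxerr.Wrap(ctx, err)` on the authorization failure in `GetMDMAppleCSR` leaves this return bare while the removed line shows the previous convention was to wrap it, and the reason is not stated; presumably the unwrapped error is needed so the test's checkAuthErr can match it, but that is an inference. A one-line comment above the return, e.g. `// deliberately not wrapped with ctxerr so callers can match the authorization error directly`, would keep the next maintainer from "fixing" it back. If ctxerr.Wrap attaches request context used for error reporting, the comment should also say that this is intentionally lost here. The method body continues past the hunk.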
@@ -60,6 +60,16 @@ func TestMDMAppleAuthorization(t *testing.T) {
 	license := &fleet.LicenseInfo{Tier: fleet.TierPremium}
 	svc, ctx := newTestService(t, ds, nil, nil, &TestServerOpts{License: license, SkipCreateTestUsers: true})
+	ds.GetMDMConfigAssetsByNameFunc = func(ctx context.Context, assetNames []fleet.MDMAssetName) ([]fleet.MDMConfigAsset, error) {
+		return []fleet.MDMConfigAsset{}, nil
+	}
+
+	ds.InsertMDMConfigAssetsFunc = func(ctx context.Context, assets []fleet.MDMConfigAsset) error { return nil }
+
+	ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
+		return &fleet.AppConfig{OrgInfo: fleet.OrgInfo{OrgName: "Nurv"}}, nil
+	}
+
 	// use a custom implementation of checkAuthErr as the service call will fail
 	// with a not found error (given that MDM is not really configured) in case
 	// of success, and the package-wide checkAuthErr requires no error.
@@ -82,6 +92,9 @@ func TestMDMAppleAuthorization(t *testing.T) {
 	_, err = svc.RequestMDMAppleCSR(ctx, "not-an-email", "")
 	require.Error(t, err) // it *will* always fail, but not necessarily due to authorization
 	checkAuthErr(t, shouldFailWithAuth, err)
+
+	_, err = svc.GetMDMAppleCSR(ctx)
+	checkAuthErr(t, shouldFailWithAuth, err)
 }
 // Only global admins can access the endpoints.
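Review bot: The comment directly below the added stubs still says the service call "will fail with a not found error (given that MDM is not really configured)", but the new `ds.GetMDMConfigAssetsByNameFunc`, `ds.InsertMDMConfigAssetsFunc` and `ds.AppConfigFunc` stubs exist so that at least one call can get past the datastore, so that comment no longer describes every call in the test; update it to say which calls are expected to fail with not-found and which may now succeed. Also, `GetMDMConfigAssetsByNameFunc` ignores `assetNames` and always returns an empty slice, so only the "no stored assets" path is exercised; a short comment above it stating that intent, e.g. `// no MDM assets stored: exercises the path where GetMDMAppleCSR must create them (verify against the service)`, would make the choice explicit. TestMDMAppleAuthorization begins before this hunk.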
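Review bot: With the stubs added at the top of the test, `svc.GetMDMAppleCSR(ctx)` may return a nil error for authorized users rather than the not-found error the test-local checkAuthErr was written around, so confirm that checkAuthErr (defined outside this hunk) accepts `err == nil` when shouldFailWithAuth is false; otherwise the authorized cases would fail for a reason unrelated to authorization. Unlike the RequestMDMAppleCSR call above it, this call has no `require.Error`, which is consistent with it possibly succeeding, but a comment such as `// may succeed with the stubbed datastore, so only the auth outcome is checked` would make the asymmetry deliberate. The enclosing test function continues past the hunk.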